Our latest security, compliance, privacy and legal information
Trust and security center
We understand that every organization’s resources, constituents, and mission are different. That’s why we have built software to meet your unique needs and help make your philanthropy easier and more impactful. Achieve your goals with Foundant’s solutions and exceptional support dedicated to your success.
Overview
Since its founding, Foundant Technologies has taken security seriously. As it has grown, the Company has continued to implement appropriate security measures, both for internal systems as well as for client-facing solutions. Growth in employees, clients, and product offerings, as well as the continued proliferation of various cyber security threats, necessitated a more formal approach to implementing and documenting security controls.
Security
We maintain our users’ data security by establishing, monitoring, and promoting industry best practices. Using a risk-based approach, we have implemented information security controls for all NIST CSF (National Institute of Standards and Technology Cybersecurity Framework). We also use Multi-Factor Authentication (MFA), providing higher security protection to clients and client communities.
Privacy
You own your data. Foundant has implemented technical and organizational measures to ensure the security, privacy, and availability of your most valuable asset.
Compliance
Foundant demonstrates our compliance with our customers and community by maintaining accreditation with multiple global standards for information security. We undergo rigorous annual audits by independent third-party auditors to validate our program and controls. View our list of compliance standards and reports.
Agreements
Easy and self-serve access to legal documents support transparency and security. View and download standard agreements and terms.
System status
Gain insights into our service availability for Foundant Solutions.
Security
The security and well-being of our customers underpin everything we do. Security is built into everything that we encompass including the organizational, architectural, and operational levels ensuring your data and solutions are safe at all times. Having deployed Foundant solutions in some of the most security-conscious organizations in both public and private sectors, we continually pursue stronger security standards. This experience goes to benefit all of our customers as we apply the same rigorous approach to security throughout our platform and organization.
Architectural security
Data processing relationship
Our data processing activities include where we process personal data about identified or identifiable natural persons on behalf of clients. Our data controller activities include where we collect personal data as part of the provisioning of the cloud service. Our approach to data processing ensures that you have full control over the data you enter into all solutions and this extends to the configured solutions themselves.
Data encryption
Data is encrypted in motion over secure HTTPS (port 443) utilizing SSL protocols and algorithms. Current encryption standards are SSL encryption using TLSv1.3, and backwards compatible with TLSv1.2 with SHA-256 with RSA \ certificate. SSL certificates are rotated annually.
Backups
For every production environment, a separate backup environment is maintained. The production environment is backed up at least once per day. In a recovery situation, the Recovery Point Objective (RPO) is under a maximum of 24 hours, and the Recovery Time Objective (RTO) is under a maximum of 8 hours.
Logical security
Role-based access controls (RBAC) govern the capabilities employees and users can execute within the platform.
Foundant supports users with multiple, concurrent organizational affiliations and different roles, and manages these users with login best practices. Username and password, and on some products and license levels, SSO access options are supported.
Single-sign-on
Foundant supports single-sign-on (SSO) on some products and license levels. Through single-sign-on users who are signed on to their internal enterprise web environment gain access to their Foundant solution without needing to log in with different credentials.
This feature provides authentication services through popular systems such as Active Directory Federation Services (ADFS), Microsoft Active Directory, and web-based identity management services such as OKTA (https://www.okta.com/).
Implementation of SSO requires configuration both within Foundant and within the system that will provide the authentication.
Foundant’s implementation of SSO acts as the Service Provider and assumes the client has the infrastructure and resources to host, configure, and manage the Identity Provider service.
Multi-factor authentication (MFA)
This feature is available for all Foundant systems. It adds an additional layer of protection to the authentication process.
Foundant supports strong authentication functionality utilizing multi-factor authentication (MFA). Through MFA, the platform supports easy-to-use authenticator tools like Google and Microsoft Authenticator (to generate software tokens), email, and SMS.
Multi-Factor authentication is role-based, allowing your organization to select only the subset of stakeholder roles where this added security is necessary.
Both physical and virtual devices support authentication with one-time passwords calculated from algorithms that are time and/or event-based.
For additional details on authentication functionality please visit our public wiki: https://wiki.Foundant.com/wiki/Multi-Factor_Authentication
Operational security
Physical security (Data center)
Foundant solutions are hosted in state-of-the-art Amazon Web Services (AWS) data centers designed to protect your application and data, ensure regulatory compliance, and maximize availability and redundancy.
Our data center partners are secure by design and employ controls that ensure that security. To help you fulfill your audit and regulatory requirements our data centers provide the strictest physical and environmental controls including:
- Governance and Risk (Third-party security attestation – SOC, ISO, NIST, PCI, HIPAA, etc. and ongoing data center risk management)
- Secure Design (Site Selection, redundancy, availability, capacity planning)
- Business Continuity & Disaster Recovery
- Physical Access Controls including employee data center access and Third-party data center access)
- Monitoring and Logging
- Surveillance and Detection (CCTV, Data Center entry points, Intrusion detection)
- Device, Asset, and Media Management
- Operational Support Systems (Power redundancy, fire detection, and suppression)
- Infrastructure Maintenance (Equipment and environment management)
Network security
We have detailed operational policies and procedures to monitor and protect our network environments. These policies and procedures are reviewed regularly and are within the scope of our SOC certification.
Included in our operational policies are internal network firewalls, Windows firewall, Web reputation filtering, suspicious connection service, IP whitelisting, and many others.
Application security
We follow Software Development Life Cycle (SDLC) processes in the platform development as well as well-defined industry-standard release and change management processes.
We employ many different application security strategies to ensure the continued security of our Foundant solutions including regular internal and external vulnerability assessments, screening of network traffic, static source code analysis for security vulnerabilities, malware detection, security scans, and regular penetration testing.
Vulnerability assessments
Penetration testing is performed against an isolated, dedicated instance of Foundant that contains no client data and tests for many security vulnerabilities.
Privacy
Like security in the cloud, privacy in the cloud is a shared responsibility between you and us. While you are a client, we become a custodian of your data. That means we store and ensure that only those with the correct permissions have access to the data you store within your Foundant solution.
Foundant’s role in privacy
Our role is to be your trusted SaaS provider, hosting and managing your data securely.
While we can be engaged to assist and support you in utilizing the software, our role is simply to store the data you upload or input into your system. While we will accommodate your organization’s privacy policies, we are not in the position to properly govern or moderate them for you.
The client’s role
As a Foundant client, you have complete control of your data and your data access policies. For that reason, it’s important that you have and can enforce your privacy policy. And, since you know exactly how you gather your data and what kind of data you collect from your community, you will need to decide how accessible it should be and who can have access to it.
This means you’re required to manage the integrity of your data, making sure that what is being shared with us is only what needs to be, or should be, shared. Based on the sensitivity of the data you collect – for example, if you collect banking information, employment details, or intellectual property, you will also need to decide who has permission to access, amend or remove any data from within your system.
Client data
We do not own Client Data, information, or material that you submit, store, or process within the system. You authorize our staff to access your system, including its Data, only to respond to service or technical problems. We do not monitor, retain beyond the terms of their service agreement, manipulate, use, or disclose any Data or any information regarding you, your account, or your users, without your prior written permission.
During the lifespan of your engagement with us, you are responsible for the integrity of your data. You may elect to cleanse, delete or remove data, where we can provide guidance in the proper steps to perform the task.
You are responsible for providing notice to users related to data collection, processing, data sharing, openness & data access, international transfer, responsibility, and accountability.
Data collection
Clients use our solutions to directly collect information from their staff and communities (communities as defined by the Client).
We collect two types of data:
Data required to support the Client’s use of the system through the Foundant support desk as expressly requested by the Client.
Aggregated, anonymized, non-demographic usage required to optimize service availability.
Notice & processing
Processes related to your Data are defined and managed by you, not Foundant. We do not process data. Our solutions act solely as a collection system for the Client.
Choices such as opt-in and opt-outs that are provided to users of the system are defined and managed by you.
Data sharing
We never share data with any other organization or person.
Openness & data access
You have full control of matters related to the configuration of your system to implement your corporate openness and data access policies. We are neutral to client policies.
Responsibility
Internal Foundant responsibilities related to the system and service delivery are defined in the Operational Procedures Guide. You are responsible for defining your internal responsibilities.
Accountability
The Operation Procedures Guide defines internal Foundant accountability related to system and service delivery. You are responsible for defining your internal accountability.
Compliance
Foundant collects, holds, and processes various kinds of data, many of which are confidential, protected, or sensitive information. To protect against unauthorized access, data breaches, and other security threats, we maintain a formalized and rigorous security program designed to ensure the security and integrity of your data.
We are obligated under various data protection legislation to have in place an institutional framework designed to ensure the security of all confidential data during its lifecycle, including clear lines of responsibility.
SOC report — Our System and Organizational Controls (SOC) Report provides information about our controls environment and may be relevant to your internal controls. The purpose of this report is to help you and your auditors understand our control environment that supports operations and compliance. The SOC reports are independent assessments of our control environment by a third-party auditor (Linford & Co).
SOC 2 Type II
The SOC 2 report is built around defined IT service parameters and examines our controls over the following five Trust Service Criteria: Privacy, Confidentiality, Processing Integrity, Availability, and Security. This report confirms we have the appropriate controls in place and that these controls are functioning over a duration of time.
Register to access our SOC2 Report↗︎.
Cyber Essentials
Effective, Government backed minimum standard scheme that protects against the most common cyber attacks – self assessed
Agreements
We are dedicated to transparent communication of and access to the Agreements governing the use of Foundant Software and Services. We’ve recently updated these Agreements to provide transparency in how we deliver services and process client data. To make it easy to find the information you’re looking for, we’ve assembled all of these Agreements in one place